[Freeipa-devel] [PATCH] 1111 Use NSS protocol range setter

Jan Cholasta jcholast at redhat.com
Mon Nov 24 13:13:00 UTC 2014


On 21.11.2014 at 16:09, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Hi,
>>
>> On 20.11.2014 at 23:26, Rob Crittenden wrote:
>>> Use new capability in python-nss-0.16 to use the NSS protocol range
>>> setter. This lets us enable TLSv1.1 and TLSv1.2 for client connections.
>>>
>>> I made this configurable via tls_protocol_range in case somebody wants
>>> to override it.
>>>
>>> There isn't a whole ton of error handling on bad input but there is
>>> enough, I think, to point the user in the right direction.
>>>
>>> Added a couple more lines of debug output to include the negotiated
>>> protocol and cipher.
>>>
>>> rob
>>
>> 1) The patch needs a rebase on top of ipa-4-1 (applies fine on master)
>
> Attached.
>
>> 2) Could you split the option into two options, say "tls_version_min"
>> and "tls_version_max"? IMO it would be easier to manage the version
>> range that way, when for example you have to lower just the minimal
>> version on a client to make it able to connect to an SSL3-only server.
>
> Sure. I waffled back and forth before deciding on a single value.
> Separate values are probably less error-prone.
>
>> 3) Would it make sense to print a warning when the configured minimal
>> TLS version is not safe and the connection uses a safe TLS version? This
>> is for the case when you have to lower the minimal version on the client
>> because of an old server, then the server gets updated, then you
>> probably no longer want to have unsafe minimal version configured on the
>> client.
>
> I see what you're saying but I think it could end up being just spam
> that users get used to. That and given that I'd probably want to set it
> up to require tls1.1 as a minimum but we can't do that because dogtag
> only supports through tls1.0 right now AFAICT. That'd be a lot of warnings.

You are probably right about the spam. Never mind then.

>
>> Functionally the patch is OK.
>
> rob
>

Thanks for the patch, ACK.

Fixed option names in commit message and pushed to:
master: 5c0ad221e815e8c7b95c1d1095ebd6cf18e7e11c
ipa-4-1: 8ef191448f0511b9c1749f47615437d649db0777

BTW before we can close the ticket, we are going to need a couple more 
fixes:

1) Bump required versions of 389-ds-base, pki-core and openldap, once 
the necessary fixes are available.

2) Configure mod_nss to also support TLS 1.2. It should be done on both 
server install and upgrade. This requires a new version of mod_nss.

-- 
Jan Cholasta
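The split min/max option handling the thread settles on, written as an added example that is not FreeIPA's code: it uses the Python standard library's `ssl` module (`SSLContext.minimum_version` / `maximum_version`) in place of the python-nss range setter the patch uses, so it runs without python-nss. The option names `tls_version_min` and `tls_version_max` come from the thread; the accepted value strings, the function names and the error-message wording are assumptions made for this example.

```python
import ssl

# Accepted option values in protocol order, oldest first. These value names
# are constructed for this example; they are not the python-nss names.
VERSION_ORDER = ["ssl3", "tls1.0", "tls1.1", "tls1.2", "tls1.3"]
TO_STDLIB = {
    "ssl3": ssl.TLSVersion.SSLv3,
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
    "tls1.3": ssl.TLSVersion.TLSv1_3,
}


def parse_tls_range(tls_version_min, tls_version_max):
    """Validate the two option values and return (min, max) as ssl.TLSVersion.

    Each error message names the option at fault, which is the "point the
    user in the right direction" level of error handling the thread asks for.
    """
    parsed = {}
    for key, raw in (("tls_version_min", tls_version_min),
                     ("tls_version_max", tls_version_max)):
        name = str(raw).strip().lower()
        if name not in TO_STDLIB:
            raise ValueError("%s: unknown protocol version %r (expected one of: %s)"
                             % (key, raw, ", ".join(VERSION_ORDER)))
        parsed[key] = name
    lo, hi = parsed["tls_version_min"], parsed["tls_version_max"]
    # A minimum above the maximum is an empty range; reject it up front
    # instead of letting every connection fail with an opaque handshake error.
    if VERSION_ORDER.index(lo) > VERSION_ORDER.index(hi):
        raise ValueError("tls_version_min (%s) must not be higher than "
                         "tls_version_max (%s)" % (lo, hi))
    return TO_STDLIB[lo], TO_STDLIB[hi]


def make_client_context(tls_version_min="tls1.2", tls_version_max="tls1.3"):
    """Build a client SSLContext restricted to the configured version range."""
    lo, hi = parse_tls_range(tls_version_min, tls_version_max)
    ctx = ssl.create_default_context()  # server certificate verification stays on
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    return ctx


def describe_connection(sock):
    """Return the negotiated protocol and cipher of a connected SSLSocket,
    the two facts the patch adds to the client's debug output."""
    cipher = sock.cipher()
    return "%s using %s" % (sock.version(), cipher[0] if cipher else "unknown")


if __name__ == "__main__":
    ctx = make_client_context("tls1.2", "tls1.3")
    print("client context allows %s .. %s"
          % (ctx.minimum_version.name, ctx.maximum_version.name))
    try:
        parse_tls_range("tls1.3", "tls1.2")
    except ValueError as err:
        print("rejected:", err)
```

Lowering `tls_version_min` for one old server widens what every client connection will accept, so the value is worth re-checking once that server is upgraded, even without the automatic warning discussed in the thread.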
